iframe

An inner frame that works much like the HTML iframe element. The src attribute can be used to specify the content of the frame. This content is a separate document. The children of the iframe are ignored.

Currently, XUL iframes running in remote processes are not supported. If you want to run content in a remote process, use a XUL browser element.

Warning: When used in chrome-privileged documents (either HTML or XUL), such as Firefox add-ons, the contents of the frame may have the same permissions as Firefox itself. This can be a serious security vulnerability, for example if you use src="http://...". In that case, please see Displaying web content in an extension without security issues.

The type of browser, which can be used to set the access of the document loaded inside the browser. If this is not set, the loaded document has the same access as the window containing the browser. More precisely: The document loaded into a chrome window is always of chrome type. Subdocuments of chrome documents are of chrome type unless the container element (one of iframe, browser or editor) has one of the special type attribute values (the common ones are content, content-targetable and content-primary) indicating that the subdocument is of content type. This boundary has a number of special effects, such as making window.top == window and preventing documents from inheriting the principal of the parent document. The type attribute on all frames in content documents is ignored; subdocuments of content documents are always content documents.

Warning: The type attribute must be set before the element is inserted into the document.

content

A browser for content. The content that is loaded inside the browser is not allowed to access the chrome above it.

content-primary

The primary browser for content. The content that is loaded inside the browser is not allowed to access the chrome above it. For instance, in a web browser, this would be the element that displays the web page. The window for the primary content can be retrieved more conveniently using window.content.

content-targetable

One browser among many for content. The content that is loaded inside the browser is not allowed to access the chrome above it. This is the preferred value for any browser element in an application that will use multiple browsers of equal privileges and is unselected at the moment.

chrome

(default behaviour): A browser intended for loading privileged content using a chrome:// URI. Don't use it for content from the web, as this may cause serious security problems!
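
The type rules above can be checked statically in an extension's XUL files. The following is an added example, not code from Mozilla or from this page: it flags iframe, browser and editor elements that lack a content type value and either point at a non-chrome:// src or have no static src at all. The function names, finding labels and sample markup are assumptions made for illustration, and the tag scanner is a simple one that expects quoted attribute values.

```javascript
// Added example (not Mozilla code): flag XUL frame containers that would load
// non-chrome:// content as chrome type, per the type rules on this page.
const CONTAINERS = new Set(["iframe", "browser", "editor"]);
// Only the common content-type values this page lists are treated as content.
const CONTENT_TYPES = new Set(["content", "content-primary", "content-targetable"]);

// Collect name="value" pairs from the attribute text of one start tag.
function parseAttrs(text) {
  const attrs = {};
  const re = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  for (const m of text.matchAll(re)) attrs[m[1]] = m[2] !== undefined ? m[2] : m[3];
  return attrs;
}

function auditXulFrames(markup) {
  const findings = [];
  const clean = markup.replace(/<!--[\s\S]*?-->/g, ""); // ignore commented-out markup
  const tagRe = /<([A-Za-z][\w:.-]*)((?:\s+[\w:.-]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*\/?>/g;
  for (const m of clean.matchAll(tagRe)) {
    const element = m[1].split(":").pop().toLowerCase(); // drop any xul: prefix
    if (!CONTAINERS.has(element)) continue;
    const attrs = parseAttrs(m[2]);
    if (CONTENT_TYPES.has(attrs.type)) continue; // content boundary is in place
    const src = (attrs.src || "").trim();
    const id = attrs.id || null;
    if (src === "") {
      // No static src: whatever a script loads later gets chrome type. Review it.
      findings.push({ element, id, issue: "chrome-type-no-static-src" });
    } else if (!/^chrome:\/\//i.test(src)) {
      findings.push({ element, id, issue: "chrome-type-non-chrome-src", src });
    }
  }
  return findings;
}

// Constructed sample markup; "myext" and the example.* hosts are placeholders.
const SAMPLE_XUL = `
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <iframe id="help" src="chrome://myext/content/help.xul"/>
  <iframe id="news" src="http://example.com/news.html"/>
  <browser id="web" type="content" src="http://example.com/"/>
  <browser id="tab" type="content-targetable" src="https://example.org/"/>
  <!-- <iframe id="old" src="http://example.com/old.html"/> -->
  <editor id="compose"/>
</window>`;

console.log(auditXulFrames(SAMPLE_XUL));
```

A static pass like this cannot see frames created from script, where the type attribute must also be set before the element is inserted into the document.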